ABSTRACT



The use of a password as the only traditional user authentication
mechanism has been criticized for its weakness in computer security. One
problem is that users select short, easy-to-remember passwords. Another
problem is the selection of a password so long that the user tends to
forget it. Long passwords tend to be written down carelessly somewhere in the work
space. Such practices can create serious security loopholes.

Consequently, this is a survey of alternative password mechanisms and 
other improved devices that are now available in the marketplace to enhance 
computer security. It taxonomizes the existing inventory of user authentication 
mechanisms such as biometrics, challenge/response, password, smart card and 
token. 

I. INTRODUCTION



A. COMPUTER SECURITY 

When one discusses computer security issues, there are four areas that are equally 
important in the computer security field: memory protection, file protection, general 
object access control, and user authentication. (Pfleeger, 1989) 

Memory protection is important for multi-user environments today and 
increasingly important for the future. This is due to the increase in networking such as 
LAN and WAN. Advances in memory protection include mechanisms such as fences, 
base/bounds registers, tagged architecture, paging, and segmentation which are useful for 
machine addressing and protection. (Pfleeger, 1989) 

File protection schemes in general-purpose operating systems are often
based on a three- or four-level format (for example: user-group-all). This format is
reasonably straightforward to implement, but it restricts access control to fewer levels. 

Access control is addressed by the access control matrix or access control lists
organized on a per-object or per-user basis. It is flexible to use but the mechanism can be 
difficult to implement efficiently. 

User authentication is an issue that becomes more important as unacquainted users 
seek to share facilities through networks. 

This study surveys the known techniques, practices and mechanisms of user 
authentication. It orders these in a taxonomy of methods, including passwords and 
authentication mechanisms such as tokens, smart cards and bio-technical devices (such as
retina scans and fingerprints). The resulting inventory will be of value to computer
security analysts, computer security managers and designers of operating systems. This 
paper will also attempt to tie in the NCSC Orange book and its demands for 
authentication mechanisms. Commercial packages to enhance user authentication will be 
reviewed as well. 

B. ISSUES 

With recent news coverage documenting the activities of hackers, the Department 
of Defense has impetus to strengthen authentication of the users of its information 
systems. (Littman, 1996; Schorow, 1996; Alexander, 1995; Baig, 1994; Borowsky, 1994; 
GAO testimony, 1991). For most computer systems, password protection represents the 
first line of defense against an intruder. Typically, each user must enter a user name and 
password to gain access to the system. But password protection is notoriously fallible 
due to such reasons as users tending to select not only easy to remember passwords but 
also writing them down where they can be seen. For these reasons, numerous 
technological refinements have been created to strengthen the authenticity of passwords. 
Just as security administration should be easy for administrators, so too should security 
be easy, simple and unobtrusive for end-users. That is, an end-user shouldn’t be aware
that any extra security safeguards are in effect. If users perceive security as requiring 
additional effort on their part they may look for ways to get around it. 

Unauthorized intrusions into Department of Defense (DoD) computer systems
were reported by the Government Accounting Office (GAO) during its testimony on
computer security before the United States Senate. This testimony reported hacker 
intrusions into DoD unclassified sensitive computer systems during Operation Desert 
Storm/Shield. Between April 1990 and May 1991, computer hackers from the 
Netherlands penetrated 34 DOD sites. At many of the sites the hackers had access to 
unclassified, sensitive information on such subjects as military personnel (personnel 
performance reports, travel information, and personnel reductions), logistics (descriptions 
of the type and quantity of equipment being moved), and weapons systems development 
data. Among the reasons for this possible intrusion was poor password management. 
(Brock, 1996) 

As unauthorized access to computer systems continues to mount, the need for 
protection of sensitive information is greater than ever before. The threat is definitely 
there. (Littman, 1996) 

Government agencies, small businesses and medium-size corporations are 
vulnerable to penetration by illegal users. DOD sensitive information, data, sources, 
resources, mailing lists, corporate and trade secrets, expansion plans, marketing 
strategies, graphs, profit and loss statements, correspondence, and employee records are 
there for the taking. (Alexander, 1995; Littman, 1996) 

II. USER IDENTIFICATION AND USER AUTHENTICATION



Controlling access to a computer system assists a computer security manager and 
system administrator in monitoring authorized users, monitoring and catching 
unauthorized users, and monitoring the various operations of the systems. (Russell and 
Gangemi Sr., 1992) 

The two-step process in computer security terms is called the identification step
and the authentication step (Russell and Gangemi Sr., 1992). To ensure that only an 
appropriate user has access to a computer system, a user is required to identify himself 
with a user name and authenticate himself with a password. 

Identification is not only a way to tell who the users of the system really are but 
serves as a check for each subject or object access request (National Semiconductor, 
1996). 

Authentication, on the other hand, is the verification of a user’s identity. In just 
about any multi-user system, users must identify themselves and have the system 
authenticate their identity before they can use the system because accurate identification 
of users is the key to individual access right. (National Semiconductor, 1996) Most 
operating systems and computer system administrators have learned to apply reasonable 
but stringent security measures to lock out illegal users before they can gain access to their
systems. (Gips, 1995) 

The analogy of identification and authentication in computer systems appears
in our daily life. Bank employees often ask their customers for identification,
such as a driver’s license, before carrying out any financial transaction at the bank. The
library staff require library card identification before allowing a library patron to check
out any library materials. Military installations require a military identification card before
allowing a military member to enter the commissary or the Navy Exchange.

People have developed systems of authentication using documents, voice 
recognition, and other trusted means of identification but in computer systems the 
situation is less secure (National Semiconductor, 1996). Anyone can attempt to log into 
a computing system. For example, unlike a professor who may recognize a student’s 
voice and give out grades over the telephone line, the computer cannot recognize 
electrical signals from one person as being any different from those of anyone else. Thus, 
most authentication systems must be based on some knowledge shared only by the 
computer system and the user. 

Methods of user authentication are numerous. Here are the three most commonly
cited in computer security literature: 

A. The password (Something You Know) 

B. The token, key, or smart card (Something You Possess) 

C. Personal characteristics (Something You Are). (Lawson, 1994; Russell
and Gangemi Sr., 1992; Pfleeger, 1989) 

A. THE PASSWORD (SOMETHING YOU KNOW)

The theory is that if you know the secret password for an account, you must be the
owner of that account. The problem with this theory is that the password may be a stolen
password, one that was written down near a computer terminal and was read by a
passerby. Or the password may be a simple word which can be easily guessed. (Tuomy,
1995)

B. THE TOKEN, KEY, OR SMART CARD (SOMETHING YOU POSSESS) 

The theory is that if a user has the key or equivalent, he or she must be the owner 
of it. The problem with this theory is that users might lose the key, it might be stolen 
from them, or someone might borrow and duplicate it. Electronic keys, badges, and 
smart cards are gaining acceptance as authentication devices for access to buildings and 
computer rooms (McCurley, 1995). 

Another example is the use of automated teller machine (ATM) cards. The
ATM card is popular and people are increasingly familiar with this type of authentication. 

C. PERSONAL CHARACTERISTICS (SOMETHING YOU ARE) 

These signs are easily identifiable and differ from person to person. Using 
mechanisms called biometric techniques, the system will compare a user’s particular trait, 
such as a fingerprint, handprint, retina pattern, voice, signature or keystroke pattern, with 
the one stored for the user and determine whether he or she is who they claim to be. 
Although the biometric system occasionally rejects valid users and accepts invalid ones, it 
is generally quite accurate. The problem with these authentication systems is that some
procedures are still not widely accepted. (Deane, et al., 1995) 

The above mentioned methods of authenticating identifiable data will be 
elaborated upon in the following chapters on biometric recognition. 

III. TRADITIONAL PASSWORD METHOD



Passwords are code words chosen by computer users or generated or assigned by
the computer system. Passwords are used for authentication because they are easy to use
and, used properly, they provide reasonable assurance. A password is assumed to be
known only to the user and the system. As mentioned earlier, in some cases a user
chooses passwords, while in other cases they are assigned by the system. The length and 
format of the password also vary from one system to another. (Fisher, 1984) 

The use of passwords is fairly straightforward. Initially a user would enter some 
piece of identification, such as a name or an assigned user ID; this identification can be 
available to the public or easy to guess, because it does not provide the real security of 
the system. The system then requests a password from the user. If the password matches 
that on file for the user, he is authorized to use the system. If the password match fails - 
i.e., the user may have mistyped it - the system requests the password again. (Pfleeger, 
1989) 

There are many excellent suggestions for choosing appropriate passwords. These 
suggestions will prevent unauthorized entry into the computer system even if the intruder 
uses the “brute force attack” technique (which is a technique that uses automation to 
systematically try to guess passwords). (Russell and Gangemi Sr., 1992) A good 
password has the following characteristics: 

1. Composed of letters, digits, and other characters, so that the base alphabet
for an exhaustive attack is large. A mix of uppercase and lowercase letters 
is highly recommended. 

2. Long passwords are better than short ones. Choose long passwords so that 
there are many more possibilities in case of an exhaustive attack. Most 
systems recommend passwords that are six to eight characters long. Some 
systems can take longer ones. 

3. Using non-existing names or words. A password should not be a common 
word or name, that can be found easily in a dictionary, e.g., pet names, car 
names, reverse words or letters. 

4. Passwords should not reveal a characteristic related to the possessor, such 
as a spouse’s name or a street address. 

5. Regularly change the passwords. Passwords should be frequently changed, 
so that even in the event of someone guessing it, the period of vulnerability 
is short. 

6. Written records of passwords open the possibility of being found by 
outsiders. 

7. Absolute secrecy of user’s passwords. (Gordon, 1995; Bishop and Klein,
1995; Russell et al., 1992)

The above is a cogent reminder of the essentials of password choice. These are
tried and true parameters for a key function in establishing computer
security.

IV. ADVANCED PASSWORD SCHEMES



Commonly, passwords are used as the sole authentication mechanism to a
computer-based information system, controlling access to an entire set of computing 
resources through the operating system. (Ahituv, et al., 1987) These passwords are 
referred to as the primary passwords. Another category of password called the secondary 
password usually is used to further control access to various resources within the system. 
These various forms of password include system-generated passwords (Menkus,
1988), passphrases (Porter, 1982), cognitive passwords (Haga and Zviran, 1989), and
associative passwords (Smith, 1987).

A. SYSTEM GENERATED PASSWORDS 

With the system generated password, a password is automatically generated by the 
operating system and assigned to users. A common practice in this method is that a 
pseudo-random number generator arbitrarily creates a string of alphanumeric characters 
as the password. These passwords are more difficult to guess than the traditional 
passwords. But the disadvantage of this technique is that the composition of random 
alphanumerics makes them very difficult for users to remember. (Menkus, 1988) 

B. PASSPHRASES 

A variation of the traditional password system is an extended password, known as 
a passphrase. A passphrase consists of a meaningful sequence of words, e.g. “to be or not 
to be”. (Zviran and Haga, 1993) A passphrase is designed to form a compromise 
between ease of memorability and difficulty in figuring out. The longer extended
password of 30-80 characters becomes difficult to guess. Passphrases are generated by a 
user, allowing a meaningful sequence of words to be selected. The longer the 
passphrases, the more security they provide. 

The passphrase is one form of authentication that is secure and simpler compared 
to encryption. The passphrase is just a longer version of a password. Passphrases are 
equivalent to passwords in their ability to authenticate (Pfleeger, 1989). Research about 
password length indicates that there are relatively few long passwords that people can 
remember easily. Examples of passphrases are a line from a song or a list of countries, 
such as “roses are red violets are blue.” The disadvantage of a long password is that it 
takes more computer memory to store. The way to get around this problem is to 
condense passphrases for efficient storage. (Pfleeger, 1989) 

The passphrase can also be used for a variable challenge-response system. This 
technique has been in use by financial institutions such as banks which use this technique 
to authenticate customers who want to make transactions by phone. A customer who 
opens an account with a bank reveals certain confidential information, such as name, 
employer, spouse’s name, birth date, perhaps mother’s maiden name, and so forth. The 
bank hopes that this information is not common knowledge (although this is not certain in 
every case). When someone tries to make a telephone transaction, the bank asks the 
caller to quote from this source of confidential information. Questions will vary each 
time a call is made so that an impersonator will not be able to know all the confidential
information in advance. (Pfleeger, 1989) 

C. COGNITIVE PASSWORDS 

In the cognitive passwords method, the user answers a set of very unique and 
personal questions known only to the user. This method is based on a question-and- 
answer mode, where, instead of a user entering just one password, he or she is required to 
enter several passwords, one at a time, when prompted by the computer. When the user
correctly answers the randomly chosen questions, within the established security
parameter, he or she is allowed access to the system. Usually the
system will give a second chance after which it will reject unauthorized users. This 
dialogue or question and answer technique between the user and the computer system is 
one of the alternatives available for user authentication. 

In an earlier chapter, it was postulated that a password has to be long enough to 
make guessing by unauthorized users difficult. Unfortunately, from the user’s standpoint 
a long password is also difficult to remember. A cognitive password therefore can 
replace the traditional password system where the user has to remember one or more long 
passwords. 

Examples of cognitive password questions are: What is the first name of your best 
friend in high school? Who is your favorite actor or actress? What is your favorite 
vegetable? If you could change occupations, which new occupation would you choose?
These questions can be fact-based or opinion-based. (Zviran and Haga, 1990)

An empirical study to test the memorability of cognitive passwords and their 
susceptibility to guessing by people close to the users reveals that cognitive passwords are 
easier to remember by users than conventional passwords and more difficult to guess by 
others. The study reveals that only a few of the respondents remembered their 
conventional passwords, whether “self-created” or “computer-generated.” Only
thirty-five percent of the subjects under study recalled their “self-created” conventional
password and only twenty-three percent recalled their “assigned” passwords. The 
favored method of recall was either from memory or from writing down passwords. 
Table 4.1 below cites part of the results of the study to reveal the percentage of users 
versus “significant-others” to correctly answer a user’s cognitive password. As 
mentioned earlier, this study reaffirms the conclusion that cognitive passwords are 
difficult to guess, even by closely related people. (Zviran and Haga, 1990) 

Implementing a cognitive password technique is quite simple: simple interactive 
software is needed to handle initial user enrollment and subsequent cue-response 
exchanges for system access (Zviran and Haga, 1990). As far as time and cost are 
concerned, organizations which are interested in implementing this method should 
perform requirement, cost and benefit analyses.

Table 4.1. Percent of Accuracy in Using Cognitive Password Technique
(User Respondent vs. Significant-Other)

Question                                                                User          Significant
                                                                        Respondent    Other
-------------------------------------------------------------------------------------------------
What is the name of the elementary school from which you graduated?     94            27
What is the name of your favorite uncle?                                89            41
What is the name of your best friend in high school?                    91            43
What is your mother’s maiden name?                                      97            57
What was the first name of your first boyfriend/girlfriend?             95            19
What is the occupation of your father?                                  99            35

D. ASSOCIATIVE PASSWORDS 

The associative password mechanism is another password mechanism requiring a
series of passwords to verify user identity. (Smith, 1987) In this mechanism, a set of 
cues are constructed for each user and stored in the user profile. In this alternative, the 
user constructs a list of cues and responses that would be unique to the individual. A 
simple example would be the cue word “high” which would require the response “low.” 
An initial list of approximately twenty cues could be installed under a one-user account 
which would allow flexibility in changing the cues presented to the user at log-on to
the system. Depending upon the security of the system, a user would be required to give
from one to several correct responses. (Zviran and Haga, 1993) 

To gain access into the system with cognitive passwords, every new user is 
assigned a user-ID and asked to create approximately twenty word associations for his or 
her user profile. Then a user desiring access enters his assigned user-ID which is 
matched against his profile. Having passed the user-ID validity test, a user is then 
presented with five randomly selected cues from the set of twenty word associations in 
his or her profile. The cues are presented one at a time and each is answered with the matching
word association. Once all five responses are gathered, they are compared against the
stored profile database of the user. If correct, access is granted. If one or more answers
do not match, a user might be given a second chance and another set of five cues is 
randomly selected from the database. (Zviran and Haga, 1993) 
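
The log-on procedure described above (twenty enrolled word associations, five random cues per attempt, one second chance with a fresh set) can be sketched as follows. This is an added example, not code from the thesis or from Zviran and Haga; the salted PBKDF2 storage of responses, the case-insensitive matching, the function names and the sample cue list are assumptions made for illustration. It also estimates an impostor's odds for a given per-cue guess rate, assuming the guesses are independent.

```python
import hashlib
import hmac
import secrets

PROFILE_SIZE = 20        # "approximately twenty word associations" per user
CUES_PER_ROUND = 5       # five randomly selected cues per log-on attempt
MAX_ROUNDS = 2           # first attempt plus one second chance
KDF_ITERATIONS = 50_000  # assumption: demo cost factor, not from the thesis

# Constructed sample profile; only "high" -> "low" comes from the text.
SAMPLE_ASSOCIATIONS = {
    "high": "low", "salt": "pepper", "north": "harbor", "bread": "oven",
    "river": "canoe", "winter": "skates", "piano": "aunt", "green": "jeep",
    "coffee": "midnight", "train": "grandfather", "apple": "orchard",
    "summer": "lake", "book": "attic", "dog": "rusty", "paint": "fence",
    "music": "cello", "stone": "bridge", "light": "candle",
    "garden": "tomato", "clock": "tower",
}


def _normalise(response):
    """Assumption: matching ignores case and surplus whitespace."""
    return " ".join(response.lower().split())


def _digest(salt, cue, response):
    """Assumption: responses are stored as salted PBKDF2 digests, not in clear."""
    return hashlib.pbkdf2_hmac("sha256", _normalise(response).encode(),
                               salt + cue.encode(), KDF_ITERATIONS)


def enroll(associations):
    """Build the stored user profile from the user's cue/response list."""
    if len(associations) < PROFILE_SIZE:
        raise ValueError(f"need at least {PROFILE_SIZE} word associations")
    salt = secrets.token_bytes(16)
    answers = {cue: _digest(salt, cue, resp) for cue, resp in associations.items()}
    return {"salt": salt, "answers": answers}


def pick_cues(profile, exclude=()):
    """Select the cues for one round with a CSPRNG, skipping cues already shown."""
    pool = [cue for cue in profile["answers"] if cue not in exclude]
    return secrets.SystemRandom().sample(pool, CUES_PER_ROUND)


def check_round(profile, cues, responses):
    """All five responses must match; every cue is checked before deciding."""
    if len(cues) != CUES_PER_ROUND or len(responses) != CUES_PER_ROUND:
        return False
    all_ok = True
    for cue, response in zip(cues, responses):
        candidate = _digest(profile["salt"], cue, response)
        all_ok &= hmac.compare_digest(profile["answers"][cue], candidate)
    return all_ok


def login(profile, answer_fn):
    """Run the dialogue; answer_fn(cue) stands in for the user at the terminal."""
    shown = []
    for _ in range(MAX_ROUNDS):
        cues = pick_cues(profile, exclude=shown)
        shown.extend(cues)
        if check_round(profile, cues, [answer_fn(cue) for cue in cues]):
            return True
    return False  # both rounds failed: reject the user


def impostor_success(per_cue_guess_rate):
    """Chance a guesser passes within MAX_ROUNDS, assuming independent guesses."""
    one_round = per_cue_guess_rate ** CUES_PER_ROUND
    return 1 - (1 - one_round) ** MAX_ROUNDS


if __name__ == "__main__":
    profile = enroll(SAMPLE_ASSOCIATIONS)
    print("owner admitted:", login(profile, SAMPLE_ASSOCIATIONS.get))
    print("guesser admitted:", login(profile, lambda cue: "unknown"))
    # 0.57 is the highest significant-other rate in Table 4.1, which was
    # measured for cognitive passwords; it is used here only as an input.
    print("impostor odds at 57% per cue:", round(impostor_success(0.57), 3))
```

Requiring all five answers is what drives the impostor's odds down: a guesser who gets any single answer right more than half the time still passes a full round only a small fraction of the time.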

Like the cognitive password, users find memorizing associative passwords easier 
than the traditional passwords. 

V. ADVANCED AUTHENTICATION MECHANISMS



As mentioned in the previous chapters, a user authentication process can be based 
on three different methods: things the user knows such as passwords, things the user 
personally possesses such as tokens, and things the user is such as finger or handprints. 
(Russell and Gangemi Sr., 1992) This chapter will discuss the last two methods of the 
authentication process. 

A. TOKEN 

A token or smart card is “something the user possesses”, an object that users carry 
to authenticate their identities. In ancient times it was a common practice to carry the 
king’s ring to prove that a messenger was speaking on behalf of the king (Russell and 
Gangemi Sr., 1992). The use of a token is similar to an ID card as a means of
authentication. We carry them to conduct our daily business, e.g., an ATM card
(electronic means) to have access to our accounts at the banks, or a military ID card
(manual means) to have access to military privileges etc.

A token usually requires a two-step authentication. In a typical application, access 
to a PC is as follows: 1) the user inserts an electronic key-shaped token for log-on and 
authentication; 2) once the system recognizes the token, it prompts the user to type their 
user ID and password. When the user passes all the authentication steps then he or she 
will be allowed to enter the system. If not, he or she may be given a few more chances. 
When multiple failures occur, then the user will be locked out of the system and an alarm
may be sounded. (McCurley, 1995) 

In order to be effective, a token should be unique. In practice, ID cards can be 
forged but are still used for authentication. 

The “magnetic stripe credit card” is another form of token for network 
communication. These cards are the size of regular credit cards with certain information 
recorded in magnetic form on the back. The magnetic stripe is read by a sensing 
machine. This is similar to the ATM card mentioned earlier. For example, an ATM 
machine permits a customer to perform certain banking transactions at any time, day or 
night. Since the possibility of loss or theft exists, these cards have to be in combination 
with an identifying word or number in order to use the card. (McCurley, 1995) 

B. SMART CARD 

A more advanced form of token card is the smart card or chip card - which is 
similar to a token card except it has a microprocessor embedded. Not only can the smart 
card retain information to identify the possessor, it can also hold information such as a 
bank or credit balance. Such a card is not merely a passive container of data. A smart 
card can actually perform computation, such as computing the response function of a 
challenge-response system, or performing link level encryption. An example of how this 
card is used is cited as follows: 

Smith walks up to a terminal to initiate a log-on to a computing network. Smith 
enters his name on the terminal and receives the prompt for a password. Smith puts the 
smart card in a slot and types his password. Instead of the password being transmitted in
the clear, the password is encrypted by the smart card. The remainder of the transaction
is decrypted at the receiving end. In this way, Smith can transact his business in the
complete security of a computer network from any place in the world. (Pfleeger, 1989) 

Several vendors offer smart card systems. The SecurID token from Security
Dynamics is an example of an access control security token which is used to positively
identify users of computer systems and networks. Used in conjunction with Security
Dynamics’ hardware or software access control module (ACM), the SecurID token
automatically generates a unique, unpredictable access code every 60 seconds. To
properly identify and authenticate an authorized user, two factors are necessary. The first
is something secret the user knows: a memorized Personal Identification Number (PIN).
The second factor is something unique the user possesses: the SecurID token. The
changing access code displayed on the SecurID token guarantees the user must have the
token in his or her possession at the time it is used. (Security Dynamics, 1996)

C. CHALLENGE-RESPONSE SYSTEMS 

There are two kinds of challenge response systems appearing in the market. The 
first type operates digitally; it functions much the same as a smart card, using a device 
like a pocket calculator. The user keys in the challenge, the device computes the 
response, the user reads the response in a display and enters it into the computer 
keyboard. 

The second available challenge-response system uses a hand-held reader. The host
computer generates a random pattern of dots that it displays on the user’s screen. The 
user holds the device up to the screen, and the device senses the dot pattern and converts 
it to a number. The device then computes a numeric response for the challenge patterns. 
From a display screen in the device, the user reads the response and keys it into the 
keyboard. (Pfleeger, 1989) 
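
The digital challenge-response exchange described above, with both the host and the hand-held device shown, as an added example that is not from the thesis or from any vendor's product. The HMAC-SHA256 response function, the 8-digit format, the 60-second challenge lifetime and the names `Host` and `compute_response` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

DIGITS = 8            # assumption: length of challenge and response
CHALLENGE_TTL = 60.0  # assumption: seconds a challenge stays valid


def compute_response(key, challenge):
    """Device side: keyed function of the challenge, shown as decimal digits.

    HMAC-SHA256 stands in here for whatever keyed function a real device uses.
    """
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    number = int.from_bytes(mac[:8], "big") % 10 ** DIGITS
    return f"{number:0{DIGITS}d}"


class Host:
    """Host side: issues random challenges and checks the keyed-in response."""

    def __init__(self, clock=time.monotonic):
        self._keys = {}     # user -> secret key shared with that user's device
        self._pending = {}  # user -> (challenge, expiry time)
        self._clock = clock

    def register(self, user, key):
        self._keys[user] = key

    def issue_challenge(self, user):
        # A fresh random challenge per log-on means an overheard response
        # is useless for the next log-on.
        challenge = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self._pending[user] = (challenge, self._clock() + CHALLENGE_TTL)
        return challenge

    def verify(self, user, response):
        # pop() makes each challenge single-use, so a replayed response fails.
        pending = self._pending.pop(user, None)
        key = self._keys.get(user)
        if pending is None or key is None:
            return False
        challenge, expires = pending
        if self._clock() > expires:
            return False
        expected = compute_response(key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    host = Host()
    device_key = secrets.token_bytes(32)   # constructed key held by the device
    host.register("smith", device_key)

    challenge = host.issue_challenge("smith")           # host -> screen
    response = compute_response(device_key, challenge)  # user keys it into device
    print("challenge:", challenge, "response:", response)
    print("accepted:", host.verify("smith", response))  # user types response
    print("replay accepted:", host.verify("smith", response))
```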

D. BIOMETRIC TECHNOLOGY 

Another kind of authentication technique is known as the biometric technique. 
Webster’s dictionary (1978) defined biometrics as “that branch of biology which deals 
with its data statistically and by quantitative analysis”. 

Biometric authentication technology in computer security systems is the automatic 
authentication of an individual on the basis of a unique and measurable physical 
characteristic, such as a fingerprint (Kim, 1995). In biometric systems, a particular 
physical or behavioral characteristic is measured and later is compared to a library of 
characteristics belonging to many people. Biometrics is considered a newcomer by most 
in the access control industry, but the technology has been around for many years 
(Wilson, 1992). There are two types of biometric methods (Deane et al., 1995). The first 
type is based on physiological characteristics such as fingerprints, hand geometry, and 
retina patterns. The second type is the behavioral biometric method which is based on 
some aspect of behavior such as signature, voice, keystroke, and pointing patterns. A 
simple hand geometry measure to identify a person by finger length was developed in the 
late 1960s and is called the Identimat. This is the granddaddy of all biometrics. The
other biometric technologies, fingerprint, voice recognition, retinal scan, keystroke 
dynamics and signature verification, were developed during the 1970s and 1980s. 
(Wilson, 1992). The different kinds of biometric methods will be briefly explained in the 
following paragraphs. 

1. Face 

One biometric method is the use of facial characteristics for identification. To cite 
one example, in the law enforcement business, this technology is used to recognize bank 
robbers, drug dealers, and terrorists in a crowd (Kim, 1995). For physical security 
officers, this method adds to the efficiency of their existing closed-circuit television 
systems. For computer security personnel, this technology could be incorporated by 
adding a small video camera into PCs that would monitor that the users sitting at the 
machine were authorized users. 

The problem with this method is the inherent variance of facial features or
expressions due to lighting conditions, camera angle, or changes of hair style. This will
create substantial deviations from the stored “facial print” or template in the computer
systems and can create errors. To remedy these problems, advanced technologies have
been introduced which include the use of neural network patterns exposed to infrared 
scans of hot spots to detect the most constant features on the face. (Kim, 1995) 

2. Fingerprints

The other form of biometrics is the fingerprint-based personal identification 
system used to control access or verify an individual’s identity. Historically, fingerprint 
identification has been used as a primary law enforcement tool, particularly in criminal 
justice organizations (Ellis, 1994). This technology is also very useful for such purposes 
as welfare identification, child-care screening, licensing, refugee identification, 
immigration, prison inmate control, gaining employee background checks, and high- 
security organizations such as defense plants, the military, and increasingly in banks. 
(Wilson, 1992; Russell and Gangemi Sr., 1992) 

Every human being has a unique set of fingerprints. Fingerprint verification systems
examine the unique characteristics of your fingerprints and use the information to
determine whether you should be allowed access. The use of fingerprints to identify 
people dates from the late nineteenth century. In the past, manual methods were used to 
classify and cross-check fingerprints according to certain patterns of ridges and whorls - 
in particular, detailed features of the print called minutiae. A fingerprint may have up to 
150 of these minutiae. In the late 1960s, the FBI automated its system for cross-checking 
fingerprints, and all fingerprint checking was converted to automated systems by 1983. 
(Russell and Gangemi Sr., 1992) 

The application of this system usually starts with placing one finger on a glass 
plate. Then the optical scanner, image processing software and sophisticated algorithms 
electronically read, analyze and compare a user’s “live” fingerprint with a previously
stored mathematical characterization or template of that fingerprint. 

The fingerprint system digitizes the ridges and other characteristics of the 
fingerprint and compares these characteristics against the fingerprint templates stored in 
the system (or, in more primitive systems, against a print on a card that you carry). The 
system allows access only if your fingerprint sufficiently matches the template. 

The more modern fingerprint verification systems also perform a
three-dimensional analysis of the fingerprint including infrared mechanisms for ensuring that a
pulse is present. This means that an intruder can’t gain entry by presenting a mold of an
authorized user’s finger or, worse still, an authorized finger that’s no longer attached to
its owner. (Russell and Gangemi Sr., 1992)

Fingerprints have several advantages and disadvantages. The characteristics and 
stability of fingerprints are widely accepted, and they are unique in every human being. 
On the other hand, the process is slower than certain other types of biometric 
measurements. In addition, their ability to work properly depends on the condition of the 
fingers being presented. Burns or other physical problems can affect the system’s ability 
to match fingerprints, as can the presence on the fingers of such materials as dust, 
perspiration, grease or glue. (Russell and Gangemi Sr., 1992) 

TouchSafe II is a fingerprint verification device from Identix Inc., Sunnyvale, CA. 
This device can be installed on a personal computer and is applicable for computer 
database and network systems. This fingerprint identity verification terminal is designed 
for access control applications, preventing unauthorized personnel from accessing 
protected data, services or funds. (Identix Incorporated, 1996) 

3. Hand 

Everybody has unique handprints. Handprint or hand geometry verification 
systems examine the unique measurements of your hand and use that information to 
determine whether you should be allowed access. 

As mentioned earlier, the first version of hand geometry measured the finger 
length to identify a person. To get this measurement, the hand was placed on a flat platen 
and a 1,000 watt overhead lamp projected the shadows of the fingers through slots in the 
platen. Photoelectric cells scanned along the fingers to determine the position of the tips 
and webs, and thus the finger length. This device worked well but was too large, 
expensive and only average in performance. The production of this old version ceased in 
1987. (Wilson, 1992) 

Today, the total hand shape is identified rather than just the finger lengths. This 
technology was initiated by a study conducted by the Air Force in the early 1980’s. 
Since then, the three-dimensional method of hand geometry has been available. A digital 
camera is used to capture a TV-like image of the hand: both a top view, which gives 
length and width information, and a side view, which gives a thickness profile. To avoid 
variations of hand positions, finger pins are used to properly position the hand on the 
platen. The image captured by the camera is converted into a digital electronic video 
signal that is transferred to the microprocessor memory. This data is represented in 
memory in much the same way as a picture is printed in a newspaper, as a series of black 
and white dots. Each bit memorized is represented by one dot, or pixel. Approximately 
32,000 pixels of information are analyzed to extract the identifying features of the hand. 
These features form a template for each computer user. In verifying the identity of a user, 
the live hand picture is compared with the stored template. A small difference between the 
current hand reading and the template indicates a good match. Large differences are 
rejected by the electronic system. (Wilson, 1992) 

Applications of this technology have expanded from the Department of Defense 
(DoD) to major universities, international airports, drug enforcement facilities, student 
dormitories, stock rooms, banks, insurance and financial institutions, manufacturing 
facilities, and hospitals. (Wilson, 1992) 

One example of hand identity verifiers from the commercial market for physical 
access control is the ID3D HandKey from Recognition Systems, Inc., which can add 
“Who You Are” to the existing ID and security systems. This device can operate as a 
complete “stand alone” access control station. It can be used in a network setup or be 
integrated into third party access control systems, e.g. optional card reader. Enrollment is 
fast and with minimum data storage (small nine byte template). (Recognition Systems, 
Inc., 1996) 

4. Eye 

One kind of eye identification is retinal recognition technology. The proponents 
of this technology believe that the eye vascular pattern develops during embryonic 
growth, stabilizes prior to birth and remains stable throughout life. One example in this 
category is the EyeDentification System 2001 from EyeDentify, Inc. As explained in 
their technical paper, the 2001 retinal recognition technology uses the natural reflective 
and absorption properties of the eye’s retina. When an individual looks at the illuminated 
Green Dot Alignment target, an eye template is acquired from the light naturally reflected 
and absorbed by the retina. The retinal field has 192 data points identified that are used 
as the basis for creating a 96 byte digital template which is called an “eye signature.” 
When a good template is acquired, it is then stored for future recognition or verification 
and is compared to other stored eye templates preventing duplication of data base files. 
(EyeDentify, Inc., 1996) The system will allow access only if your retina pattern 
sufficiently matches that of the one stored for you in the system. 

Newer developments include the measurements of iris and pupil. Hand-held 
devices are being developed for workstation access. 

This technology has been applied to many different fields such as access control, 
information security, research organization, government, banks, restaurants, etc. 

The second kind of eye identification is the iris recognition technology. This 
technology is based on the patterns found in the iris of the human eye. The iris is the 
colored ring that surrounds the central black pupil, and the retina is the sensory 
membrane lining the eye. The difference in technology requires that retinal scanning use 
laser or infra-red beams and iris scanning use the camera lens to capture the iris prints. 

Applications include: 

• entry and access control 

• computer and network security 

• information access control 

• financial transactions 

• day-care center access control 

• hospitals (IriScan, 1996) 

One example of commercial devices for iris scan technology is System 2000EAC 
from IriScan. To be identified, the subject simply looks toward the system’s video lens 
from a reasonable distance. The system uses a standard video camera taking 30 frames 
per second with illumination provided by a 20-watt quartz-halogen bulb with a magenta 
filter at seven watts power. To acquire the iris image, the system software determines the 
inner and outer boundaries of the iris, and then identifies and encodes each feature of the 
iris as a multi-scale sequence of coefficients, producing a 256-byte code. This code is 
stored in memory as the subject’s template for comparison in future recognition. For later 
identification, the user need only present his or her eye to the camera. (IriScan, 1996) 

5. Voice 

Characteristics of vocal and acoustic patterns are unique for each human being. 
Voice verification systems examine the unique characteristics of the human voice. Some 
systems also examine phonetic and linguistic patterns and use that information to 
determine whether one should be allowed access. 

This speaker identification system requires the users to speak a particular phrase. 
The system converts the acoustic strength of a speaker’s voice into component 
frequencies and analyzes how they are distributed. The system compares the live voice to 
a stored voiceprint. This voiceprint is a “voice signature” constructed by sampling, 
digitizing, and storing several repetitions of a particular phrase. The speaker’s identity is 
verified by comparing stored voice prints of known origin against new samples of speech 
from the person claiming the identity. If the characteristics of the new samples match 
those of the stored prints within acceptable limits, the speaker’s claimed identity is 
accepted. Otherwise, it is rejected. (Russell and Gangemi Sr., 1991) 

This technology is currently used for personal identification in banks, credit 
agencies, service companies, governmental services, telephone fraud prevention, etc. 

One example of the devices available commercially is the Veritel Voice 
Verification system by Veritel Corporation. The device is a Veritel board which is a half 
length, standard card that fits into any PC, plus the software to install it. Once the system 
is installed, the system administrator can begin the process of recording and verifying 
voiceprints for registered users. The system can act as the head-end for a wide variety of 
potential applications. Technical implementation of this method is as follows: the 
speaker is first enrolled in the system by capturing specific samples of speech and 
converting the audio to digital PCM (Pulse Code Modulation) using standard 
commercially available voice processing products. The PCM samples are saved on disk. 
When an access is attempted, the speaker is prompted to repeat the original phrase of 
speech and the audio sample is again converted to digital PCM. The two PCM samples 
are compared using a firmware algorithm that runs on the Veritel Voice Verifier Board. 
The algorithm performs a series of transformations and comparisons: it converts 
PCM to LPC, converts LPC to Cepstrum Coefficients, and time-aligns the two Cepstrum 
representations using a Dynamic Time Warping function. It then compares the aligned 
patterns using a Distance Measure. If the Distance Measure between the two audio 
patterns is less than a selected threshold, access is granted. Otherwise, it is denied. 
(Veritel Corporation, 1996) 
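
The time-alignment and threshold step described above, as an added example (it is not Veritel's firmware or code from the thesis). It assumes the PCM-to-LPC-to-cepstrum conversion has already produced one feature vector per frame; the frames, the Euclidean distance measure, the length normalisation and the threshold value are constructed for illustration.

```python
import math

# Constructed feature frames (two coefficients per frame) standing in for the
# cepstral vectors of one spoken phrase; real systems use more coefficients.
TEMPLATE = [(1.0, 0.0), (2.0, 1.0), (4.0, 1.0), (3.0, -1.0), (1.0, 0.0)]
# Same speaker, same phrase, spoken at half speed with a small measurement offset.
SAME_SPEAKER_SLOW = [(x + 0.1, y) for (x, y) in TEMPLATE for _ in range(2)]
# A different voice saying the phrase: a different coefficient trajectory.
IMPOSTOR = [(1.0, 2.0), (0.0, 3.0), (1.0, 4.0), (2.0, 3.0), (1.0, 2.0)]
THRESHOLD = 0.5  # assumed acceptance threshold for the normalised distance


def frame_distance(a, b):
    """Euclidean distance between two feature vectors of equal dimension."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def linear_distance(ref, live):
    """Frame-by-frame comparison with no time alignment, shown for contrast."""
    n = min(len(ref), len(live))
    if n == 0:
        raise ValueError("empty utterance")
    return sum(frame_distance(ref[i], live[i]) for i in range(n)) / n


def dtw_distance(ref, live):
    """Dynamic Time Warping distance, normalised by the combined length."""
    n, m = len(ref), len(live)
    if n == 0 or m == 0:
        raise ValueError("empty utterance")
    inf = float("inf")
    # cost[i][j] = cheapest accumulated distance aligning ref[:i] with live[:j]
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = frame_distance(ref[i - 1], live[j - 1])
            # A frame may repeat on either side (slow or fast speech) or advance on both.
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m] / (n + m)


def verify(ref, live, threshold):
    """Grant access only when the aligned distance is below the threshold."""
    return dtw_distance(ref, live) < threshold


if __name__ == "__main__":
    for name, sample in (("same speaker, slow", SAME_SPEAKER_SLOW), ("impostor", IMPOSTOR)):
        print(name,
              "unaligned=%.3f" % linear_distance(TEMPLATE, sample),
              "dtw=%.3f" % dtw_distance(TEMPLATE, sample),
              "granted" if verify(TEMPLATE, sample, THRESHOLD) else "denied")
```

Without alignment the slowly spoken genuine sample scores worse than the threshold, which is why the time-warping step precedes the distance comparison.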

6. Signature 

The use of the signature in our daily life is widely practiced and accepted. It is the 
norm of doing business. We put our signatures on checks issued to make payments, and we 
sign contracts and agreements. In biometric technology, there are two different methods of 
signature authentication. (Kim, 1995) One method is to compare the signature already 
written with the associated template. The weakness in this method is that the technology 
cannot detect a copied signature. The second method is to analyze signature dynamics. 
This signature verification examines the way a signature is written rather than what it 
looks like after being written. The focus in this second method is the dynamic 
process of writing one’s signature: the writing rhythm, contacts on the surface, total 
time, turning points, loops, slopes, velocity and acceleration. The signature is converted 
into a set of electrical signals that stores the dynamics of the signing process mentioned 
above. The devices used in signature dynamics technology are wired pens and sensitive 
tablets. (Kim, 1995) The key in the recognition of a signature is to distinguish 
the habitual parts from those that vary with almost every signing, since everybody has a 
unique signature and signature-writing pattern. Signature verification systems examine 
the unique characteristics of one’s signature and the way in which one writes it. 
The system compares the signature to a signature template stored for users to 
determine whether one should be allowed access. 

One commercial device from Cadix International Inc. is the ID-007, which places 
no limitation on the styles or types of signatures. Any combination of languages, fonts, 
and handwriting systems is acceptable to the ID-007. This device will encrypt signatures 
to ensure that the individual’s signature cannot be reproduced. Also, to increase security, 
PIN numbers can be issued to users when making their signatures. ID-007 will compare 
the user’s signature with signatures in the database as to shape and pen movement to 
determine whether the real person has signed the signature. This step is called “pattern 
matching.” Users’ signatures will change from time to time because of physical changes 
or the passage of time. ID-007 learns the slightly changed signature once ID-007 has 
recognized that it is the authorized user. One signature takes about 1.5 K bytes. For 
instance, a 40M byte hard disk on a personal computer can keep more than 20,000 
signatures. Data size is independent of signature size, shape, or writing time. Several 
samples are required to make the signature registration. Verification time is about 1 
second. (Cadix Research & Development, 1996) 

7. Typing Rhythms 

Everybody has a unique pattern or rhythm of typing. Keystroke verification 
systems examine the unique characteristics of a user’s keystrokes (the user’s electronic 
signature) and use that information to determine whether you should be allowed access. 

This technology is very similar to signature verification discussed earlier. 
Templates are created and analyzed based on information such as the time that 
elapses between a user’s keystrokes, forming unique timing patterns. Users are required to 
generate a keyboard reference profile or template which will be used at a later date for 
verification and compared to the test profile. If large differences occur between these two 
profiles then the user involved is prevented from access. The goal is to determine 
whether you are, in fact, the person working at your workstation and under your account, 
or whether an intruder has gained access. This surveillance of work habits has raised 
right-of-privacy issues. 
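
One way to build the reference profile and compare a test profile against it, as an added example (not taken from the thesis or from any product). The timings, the mean-absolute-deviation scoring, the spread floor and the threshold are all assumptions made for illustration.

```python
MIN_SPREAD_MS = 5.0  # assumed floor so a very consistent typist is not given zero tolerance

# Constructed enrollment data: milliseconds between successive keystrokes while
# the user types the same six-character string four times (five intervals each).
ENROLLMENT = [
    [120, 200, 90, 150, 300],
    [130, 190, 100, 140, 340],
    [110, 210, 95, 160, 260],
    [120, 200, 95, 150, 300],
]
OWNER_LOGIN = [125, 195, 92, 155, 320]  # constructed: the enrolled user
OTHER_LOGIN = [180, 120, 160, 90, 220]  # constructed: someone else typing the same string
THRESHOLD = 2.0  # assumed: largest accepted average deviation, in units of spread


def build_profile(enrollment):
    """Reference profile: (mean, spread) in ms for each inter-key interval."""
    if len(enrollment) < 2:
        raise ValueError("several enrollment samples are required")
    length = len(enrollment[0])
    if length == 0 or any(len(sample) != length for sample in enrollment):
        raise ValueError("every sample must time the same keystroke sequence")
    profile = []
    for column in zip(*enrollment):
        centre = sum(column) / len(column)
        spread = sum(abs(v - centre) for v in column) / len(column)
        profile.append((centre, max(spread, MIN_SPREAD_MS)))
    return profile


def profile_distance(profile, test):
    """Average deviation of the test timings, each scaled by the user's own spread."""
    if len(test) != len(profile):
        raise ValueError("test profile does not match the enrolled sequence length")
    return sum(abs(t - c) / s for t, (c, s) in zip(test, profile)) / len(profile)


def verify_typist(profile, test, threshold):
    """Allow access only when the test profile stays close to the reference."""
    return profile_distance(profile, test) <= threshold


if __name__ == "__main__":
    reference = build_profile(ENROLLMENT)
    for name, attempt in (("owner", OWNER_LOGIN), ("other", OTHER_LOGIN)):
        score = profile_distance(reference, attempt)
        print(name, "%.2f" % score, verify_typist(reference, attempt, THRESHOLD))
```

Scaling each interval by the user's own spread lets a naturally variable interval (the last one here) tolerate more drift than the steady ones.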

8. Summary 

Biometrics technology can enhance and complement any organization’s existing 
security system to provide a higher level of confidence by using physical characteristics 
that are unforgeable. 

This technology offers solutions for user identification or authentication. 
Examples of such concerns are welfare recipients who sign up for benefits under six 
identities, a child released to a stranger from a day care center, a hacker accessing 
sensitive databases, or a counterfeiter making copies of bank cards. Biometrics has become 
the most foolproof method of automated personal identification in today’s highly 
computer dependent world and continues to be in great demand. (Kim, 1995) 

However, computer security managers should be aware that along with the 
strength of biometrics technology, proper assessments and applications are needed and 
should be the initial step prior to implementation. 

Implications of the use of biometrics technology can include: user acceptance, 
performance, cost, speed, security loopholes, danger of misuse, legal aspects. (Kim, 
1995). 

To be broadly acceptable, biometric techniques must be legally safe to use, have 
regard for the user’s privacy, and not be socially unacceptable. (Kim, 1995) 
For example, a fingerprinting scanner is associated with criminal overtones, while 
hand recognition is more associated with handshaking. Dynamic signature recognition is 
acceptable due to the already wide use of signatures as personal identification. When 
literacy rates are low, other methods such as voice, face or hand recognition may be more 
appropriate. 

In terms of performance, biometric applications are prone to two types of errors: 
rejection of an authorized user, or the incorrect acceptance of an unauthorized user. To 
produce optimum performance, adjustments of threshold settings for acceptance and 
rejection are necessary. 
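
The threshold adjustment described above, worked through as an added example (not from the thesis or any vendor). It assumes a verifier that outputs a distance score and accepts when the score is at or below the threshold; the scores are constructed, and "false reject rate" (FRR) and "false accept rate" (FAR) are the usual names for the two error types.

```python
# Constructed distance scores (lower = closer to the stored template).
GENUINE = [0.10, 0.15, 0.20, 0.22, 0.30, 0.35, 0.40, 0.55, 0.60, 0.90]   # authorized users
IMPOSTOR = [0.35, 0.50, 0.65, 0.70, 0.80, 0.85, 0.95, 1.00, 1.10, 1.20]  # unauthorized users


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a score <= threshold is accepted."""
    if not genuine or not impostor:
        raise ValueError("both score sets are required")
    frr = sum(1 for s in genuine if s > threshold) / len(genuine)      # authorized user rejected
    far = sum(1 for s in impostor if s <= threshold) / len(impostor)   # unauthorized user accepted
    return frr, far


def sweep(genuine, impostor):
    """Evaluate every observed score as a candidate threshold."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_point(genuine, impostor):
    """Threshold where the two error rates are closest (lower threshold wins ties)."""
    return min(sweep(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))


def threshold_for_max_far(genuine, impostor, max_far):
    """Loosest threshold whose false accept rate stays within max_far, or None."""
    allowed = [row for row in sweep(genuine, impostor) if row[2] <= max_far]
    return max(allowed, key=lambda row: row[0]) if allowed else None


if __name__ == "__main__":
    print("threshold   FRR    FAR")
    for t, frr, far in sweep(GENUINE, IMPOSTOR):
        print("%9.2f  %5.2f  %5.2f" % (t, frr, far))
    print("balanced setting:", equal_error_point(GENUINE, IMPOSTOR))
    print("no false accepts:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

On this data the balanced setting rejects and accepts wrongly at the same 20% rate, while insisting on no false acceptances turns away half of the legitimate attempts.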

As in any investment, cost is one area to be considered. Does the benefit outweigh 
the cost? This question should consider operating costs, such as maintenance and 
training. 

Verification time is another factor to be taken into account. Biometric 
verifications which involve several seconds are considered slow when compared to other 
methods such as password and ID verification. 

Security loopholes are still the major concerns, especially during remote log-ons, 
where information is sent to the host computer for comparison with the stored template. 
Kim believes there are at least two potential weaknesses in this case. One is related to the 
database with the templates and the other to the transmission of the biometric reading. If 
stolen, the biometric identity of an authorized user cannot be changed the way a password could. 

There is no question that biometrics technology has been very popular around the 
world, for both the government and private sectors. This too has raised concerns over the 
legality of sharing private information from government or industry with third parties. It 
is important that individuals have ownership rights to their personal data. Hence they 
should be informed about data collection and have the right to decline the use of data by 
third parties. (Tuerkheimer, 1993) International conventions state that data should not be 
used for purposes other than the original purpose of collection, except with the authority 
of law or the consent of the individual (Clark, 1988). 

In terms of cost, effectiveness, and human acceptance, the following table is 
presented as a guideline. (Rowe, 1996) 

Table 5.1. Comparison of Various Verification Methods 
(Ratings on scale of 1 to 10: 10 is best) 

Method                 Cost   Effectiveness   Human Acceptance
Password                  1               2                  8
Smart card                3               4                  7
Fingerprint               7               8                  6
Handprint                 7               7                  5
Retinal scan              8              10                  4
Iris scan                 8               9                  6
Face                      9               5                  8
Body form                 5               3                  7
Signature (written)       8               2                  9
Signature (dynamic)       8               8                  7
Keystrokes                3               5                  9
Voice                     9               5                  8

Like other matters in life, controversial results of research work exist in any field. 
One study intending to reveal the perceived acceptability of biometric security systems by 
a sample of banking and university staff was conducted by Deane et al. (1995). The 
results from 76 respondents indicated that all biometric systems were perceived as less 
acceptable than the traditional password approach. Contrary to expectation, it was found 
that behaviorally based biometric systems were perceived as less acceptable than 
physiologically based systems. There is a positive relationship between acceptability and 
sensitivity of information. Conversely, the password method has a negative relationship 
between acceptability and sensitivity. 

In closing this biometric discussion, success of implementation will still rely on 
proper assessment, planning, and training awareness programs. 

VI. ORANGE BOOK EVALUATION (DoD 5200.28-STD) 



The Orange Book Operating System Security Standard was published by the U.S. 
Department of Defense in 1985 (Melford, 1995). It came about as a consequence of 
increasing security consciousness on the part of the government and industry and the 
growing need for standards for the purchase and use of computers by the federal 
government. The need to quantify security or to measure trust was the primary motive 
behind development of this guidebook. It is useful for commercial vendors who develop 
secure systems to fulfill requirements stipulated by the government requisition office 
which has tied computer equipment purchases to Orange Book certification. 

The objectives of the Orange Book are: 

1. For measurement. 

2. For guidance. 

3. For acquisition. (Russell and Gangemi Sr. 1992) 

Measurement: to provide users with a measurement with which to assess the 
degree of trust that can be placed in computer systems for the secure processing of 
classified or other sensitive information. For example, a user can rely on a B2 system to 
be “more secure” than a C2 system. 

Guidance: to provide guidance to manufacturers as to what to build into their 
commercial products to satisfy trust requirements for sensitive applications. 

Acquisition: to provide a basis for specifying security requirements in acquisition 
specifications. Rather than specifying a hodgepodge of security requirements, and having 
vendors respond in piecemeal fashion, the Orange Book provides a clear way of 
specifying a coordinated set of security functions. A customer can be confident that the 
system he or she acquires has already been checked out for the needed degree of security. 
(Russell and Gangemi, Sr., 1992) 

As the Orange Book puts it, the criteria “constitute a uniform set of basic 
requirements and evaluation classes for assessing the effectiveness of security controls 
built into the various systems.” 

The Orange Book defines four broad hierarchical divisions of security protection. 
In increasing order of trust, they are: 

D. Minimal security 

C. Discretionary protection 

B. Mandatory protection 

A. Verified protection 

Each of these hierarchy levels defines a set of evaluation criteria to ensure that an 
operating system completely carries out the controls (see Table 6.1). 

Each class is defined by a specific set of criteria that a system must meet to be 
awarded a rating in that class. The criteria fall into four general categories: security 
policy, accountability, assurance, and documentation. (Rowe, 1996) 

Table 6.1. The Orange Book Trusted-System Classes 

Feature                                  C1   C2   B1   B2   B3   A1
discretionary access control             x    x    s    s    x    s
object reuse                             -    x    s    s    s    s
labels                                   -    -    x    x    s    s
label integrity                          -    -    x    s    s    s
exporting information                    -    -    x    s    s    s
labeling of output                       -    -    x    s    s    s
mandatory access controls                -    -    x    x    s    s
subject sensitivity labels               -    -    -    x    s    s
device labels                            -    -    -    x    s    s
identification and authentication        x    x    x    s    s    s
audit                                    -    x    x    x    x    s
trusted path                             -    -    -    x    x    s
system architecture                      x    x    x    x    x    s
system integrity                         x    s    s    s    s    s
security testing                         x    x    x    x    x    x
design specification and verification    -    -    x    x    x    x
covert channel analysis                  -    -    -    x    x    x
trusted facility management              -    -    -    x    x    s
configuration management                 -    -    -    x    s    x
trusted recovery                         -    -    -    -    x    s
trusted distribution                     -    -    -    -    -    x
user’s guide to security                 x    s    s    s    s    s
facility security manual                 x    x    x    x    x    s
test documentation                       x    s    s    x    s    x
design documentation                     x    s    x    x    x    x

(x = requirements for this class; s = same requirements as to left) 



Each division consists of one or more numbered classes, with higher numbers 
indicating a greater degree of security. For example, division C contains two distinct 
classes (C2 offers more security than C1). The C2 level is today’s de facto commercial 
IS security standard. It adds auditing facilities to the basic C1 requirements of a system 
security architecture, user authentication, and security documentation. Division B 
contains three classes (B3 offers more security than B2, which offers more security than 
B1). B-level requirements add advanced privacy protection facilities. Division A 
currently contains only one class. A1 levels reflect the government’s most sensitive 
national security needs. Requirements include copious vendor documentation and costly 
and extensive testing beyond B3 demands by the National Computer Security Center. 

Ongoing debates about the Orange Book are many and this guide will undergo 
revision in the future with the changing of technologies. But now it is still the standard 
for secure systems. Some of the debates have evolved in the following areas: 

1. The model works only for a government classified environment and is not 
appropriate for the protection of commercial data where data integrity is the 
chief concern. 

2. It focuses on only one aspect of security, namely secrecy, while paying little 
attention to the principles of accuracy, availability and authenticity. 

3. It emphasizes protection from unauthorized access from outside, while most 
security attacks actually involve insiders. 

4. The guidelines do not address networking issues. (Another book called the 
Red Book addresses this issue.) 

5. It contains only a small number of security ratings. (Russell and Gangemi, 
Sr., 1991) 

Vendors can submit their operating system for free compliance testing for A and B 
level security to the NCSC. The center has discontinued evaluating C-level operating 
systems due to budgetary constraints. Few vendors choose to submit their commercial 
offerings because of the time involved: a new version is usually out before the evaluation 
is complete. Instead, most vendors design their operating systems “to meet” Orange 
Book requirements. (Melford, 1995) 

VII. CONCLUSION 



The future of access control techniques is now one of positive progress and 
development for the computer security industry. These advanced authentication 
mechanisms have become popular and widely used due to their high degree of accuracy 
and security. 

As postulated in this survey, the traditional password is still the common means of 
authentication for the user. This paper concludes that passwords can be a strong 
component and basis of user authentication but that other advanced authentication 
mechanisms can be even more efficient and sophisticated such as tokens, smart cards, 
challenge response systems, and biometrics recognition techniques. 

For the future, it appears that biometrics will become more popular as technology 
makes the cost of implementing these sophisticated verification methods more affordable. 

APPENDIX A. PRODUCT LIST 



Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 


Biometrics 

Access-control hardware, fingerprint identification 
TouchLan n 

Access control for network from a host computer 
Identix Incorporated 


Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 


Biometrics 

Access-control hardware, fingerprint identification 
TouchSafe II 

Fingerprint identity verification for stand-alone or network configurations. 
Identix Incorporated 


Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 


Biometrics 

Access-control hardware, hand geometry identification 
ID3D HandKey 

Add “Who You Are” to your ID and security systems. 
Recognition Systems, Inc. 


Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 

Supplier Name: 


Biometrics 

Access-control hardware, iris identification 
IriScan’s System 2000EAC 

Biometric identification technology for entry and access control, computer and 
network security. 

IriScan 


Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 


Biometrics 

Access-control hardware, retinal recognition 
System 2001 Retinal Recognition 
Applicable for access control and information security. 
EyeDentify inc. 


Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 


Biometrics 

Access-control hardware, signature identification 
ID-007 

Signature verification to identify a person. 

Cadix International, Inc. 
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Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 

Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 

Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 



Supplier Name: 



Biometrics 

Access-control hardware, voice/signature verification 
Veritel Voice Verification System 

Biometrics based access security method in which a speaker’s identity is verified 
by comparing stored voice prints of known origin against new samples of speech 
from the person claiming the identity. 

Veritel Corporation 

Challenge-response 
Access-control hardware 
AccessKey El 

Challenge/response methodology for two-factor authorization security. 

Vasco Data Security Inc. 

Challenge-response 
Access-control hardware 
Multi-Platform Access Control System 

Offers both single-line (SLC) and multi-line (MLC) solutions for maximizing 
computer and network access control systems. 

CRYPTOCard, Inc. 



Challenge-response 
Access-control software 
Stoplight 

Security for PCs and LANs. 
Safetynet, Inc. 



Challenge-response, password 
Access-control software (token) 

LOCKout 

Solves organization’s remote access security problems. Password protection is 
replaced with a unique, one-time challenge response technique using the 
LOCKout Data Encryption Standard (DES) solution. LOCKout Fortezza is a key 
component of the National Security Agency’s MOSAIC program for secure 
Department of Defense messaging. It meets the needs of civilian and military 
government agencies who require the protection of sensitive but unclassified 
information. 

Secure Computing Corporation 
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Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 

Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 



Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 

Authentication Method(s): 
Device(s): 
Product Name: 
Product Features: 
Supplier Name: 



Password 

Access-control hardware 
DK1125 

Installed at the remote site between the user’s PC and the modem for dial in 
remote user authentication to Security Systems. 

Optimum Electronics, Inc. 

Password 

Access-control hardware 
IDG-9102 Intelligent Data Guard 

Limiting access to dialup ports. Provides security for dialup modems in computer 
rooms, office environments, and telephone equipment rooms. The modem cannot 
be detected by hackers as carrier is not placed on the line nor is there any screen 
dialogue until the correct password has been received. The Intelligent Data 
Guard (IDG) will become the first line of defense because any unauthorized caller 
will never obtain carrier. 

Intelligent Supervisory Systems 
Password 

Access-control hardware 
SafeWord Token 
Password generators. 

Enigma Logic 

Password 

Access-control software 
Access Manager 

Provides single sign-on user authentication and access control. 

Enterprise Systems ICL Inc. 

Password 

Access-control software 
ACSplus 

Stops unauthorized access to workstations. 

SecureNet Technologies Inc. 

Password 

Access-control software 
cypherPAD 

Drive locking, computer privacy system for Macintoshes. 

UsrEZ Software Inc. 
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Authentication Method(s): 
Authentication Method(s): Password
Device(s): Access-control software
Product Name: D-View
Product Features: Provides password protection and Simple Network Management Protocol (SNMP) community name to prevent unauthorized access or manipulation of the devices on the network.
Supplier Name: D-Link

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Defender Security Server
Product Features: Runs on government-certified secure operating system.
Supplier Name: Digital Pathways, Inc.

Authentication Method(s): Password
Device(s): Access-control software
Product Name: E-NSI
Product Features: Operates in the MVS environment with all major security systems to permit seamless password authentication with multiple IBM AIX and AT&T UNIX systems. Interfaces with the AIX 3270 Host Connection Program, or TELNET and tn3270 on the server system to provide end-user authentication on the MVS host.
Supplier Name: Eberhard Klemens Company

Authentication Method(s): Password
Device(s): Access-control software
Product Name: EasySafe
Product Features: Security and encryption product designed specifically for notebook use.
Supplier Name: EliaShim-Safe Software

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Empower
Product Features: Security software for Macintosh, Power Macintosh, PowerBook, or Performa computers.
Supplier Name: Magna

Authentication Method(s): Password
Device(s): Access-control software
Product Name: ETF/T
Product Features: For CA-Top Secret, allows controlled usage of special privileges during an emergency situation.
Supplier Name: Eberhard Klemens Company

Authentication Method(s): Password
Device(s): Access-control software
Product Name: FileGuard
Product Features: Access control security management for Macintosh systems.
Supplier Name: ASD Software, Inc.

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Guardian
Product Features: Access security for UNIX. Requires users to change passwords on a regular basis, generate easily remembered passwords.
Supplier Name: Datalynx

Authentication Method(s): Password
Device(s): Access-control software
Product Name: MasterSafe
Product Features: Access control and management system designed to protect DOS/Windows workstation from unauthorized access to programs or data in a stand-alone, networked, or client/server environment. C2 compliant.
Supplier Name: EliaShim-Safe Software

Authentication Method(s): Password
Device(s): Access-control software
Product Name: METZ Lock
Product Features: Protects against unwanted input from both keyboard and mouse.
Supplier Name: METZ Software

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Password Coach
Product Features: Provides consistent enforcement of policies which require users to create difficult-to-guess, yet easy-to-remember passwords.
Supplier Name: Baseline Software

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Password Genie
Product Features: Automatically generates passwords which have been screened with weak or easily-guessed password tests.
Supplier Name: Baseline Software

Authentication Method(s): Password
Device(s): Access-control software
Product Name: SafeWord Software
Product Features: Provides enhanced network authentication and ease of access to local and wide area networks via Dynamic Passwords that change with every log-on.
Supplier Name: Enigma Logic

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Security Administration Manager
Product Features: To help system administrator in keeping information security under control. Internal SAM security mechanisms guarantee consistent and controlled security definitions for all integrated target systems at all times.
Supplier Name: Schumann Security Software Inc.

Authentication Method(s): Password
Device(s): Access-control software
Product Name: SQL SECURE/Client Server Database Security
Product Features: For security and database administrator to manage all aspects of client/server database user authentication and security auditing.
Supplier Name: BrainTree Technology, Inc.

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Trusted Access
Product Features: Password management for automatic policy enforcement.
Supplier Name: Lassen Software, Inc.

Authentication Method(s): Password
Device(s): Access-control software
Product Name: ultraCOMMAND
Product Features: Network management and security administration system for the Macintosh.
Supplier Name: UsrEZ Software Inc.



Authentication Method(s): Password
Device(s): Access-control software
Product Name: ultraSHIELD
Product Features: Password managed computer access control for Macintosh.
Supplier Name: UsrEZ Software Inc.

Authentication Method(s): Password
Device(s): Access-control software
Product Name: Workstation Manager Plus
Product Features: A comprehensive workstation control and security product. Available for stand alone workstations and for Novell NetWare.
Supplier Name: PC Guardian

Authentication Method(s): Password, callback
Device(s): Access-control hardware
Product Name: Modem Security Enforcer
Product Features: Security for dial-up modems on in-house computer systems, LAN and WAN network nodes, PBX maintenance posts, station message detail recording devices.
Supplier Name: IC Engineering, Inc.

Authentication Method(s): Password, caller ID
Device(s): Access-control hardware
Product Name: IDG-9100 Intelligent Data Guard
Product Features: Uses Caller ID to deny access to unauthorized callers by preventing the ring signal from reaching the modem unless the telephone number of the calling party matches one of the numbers in the user-programmable directory.
Supplier Name: Intelligent Supervisory Systems

Authentication Method(s): Password, certificate-based
Device(s): Access-control software
Product Name: Secure Access System
Product Features: For remote users and tools for network administrators. Security features include: access control, authentication, integrity and privacy. Uses digital certificate authentication and access.
Supplier Name: Cylink

Authentication Method(s): Password, Challenge-response
Device(s): Access-control hardware
Product Name: Defender Series
Product Features: Controls user access by time-of-day or length of session.
Supplier Name: Digital Pathways, Inc.

Authentication Method(s): Password, Challenge-response
Device(s): Access-control hardware (token)
Product Name: RB-1 token
Product Features: Access control security, interoperable (Mainframe, midrange, LAN, PCs).
Supplier Name: CRYPTOCard, Inc.

Authentication Method(s): Password, Challenge-response
Device(s): Access-control hardware/smart disk
Product Name: SB-1
Product Features: Provides access control for IBM compatible PCs, protection of hard disk data, remote multi-platform hosts.
Supplier Name: CRYPTOCard, Inc.

Authentication Method(s): Password, Challenge-response
Device(s): Access-control software
Product Name: Software Secure Net Keys
Product Features: User authentication tools, employ Data Encryption Standard (DES) algorithm to generate unique, one time passwords.
Supplier Name: Digital Pathways, Inc.

Authentication Method(s): Password, dial back
Device(s): Access-control software
Product Name: CoSecure
Product Features: Modem security software with dial-back capability.
Supplier Name: CoSystems

Authentication Method(s): Password, encryption
Device(s): Access-control hardware
Product Name: PathKey Domain Series
Product Features: Delivers automatic and transparent remote access security services to larger, dynamically growing user environments.
Supplier Name: Paralon

Authentication Method(s): Password, encryption
Device(s): Access-control hardware
Product Name: PathKey Series
Product Features: Offers authentication and data encryption capabilities for small-to-medium sized workgroups (under 500 nodes), and operates in peer-to-peer or Client/Server configurations.
Supplier Name: Paralon

Authentication Method(s): Password, encryption
Device(s): Access-control software
Product Name: BoKs Access Control System
Product Features: Security for a Local Area Network or an Enterprise.
Supplier Name: Securix

Authentication Method(s): Password, encryption
Device(s): Access-control software
Product Name: LJK/Login
Product Features: Single authentication action will validate end-users for exchanging data with all the servers for which they are authorized access. Servers rely on public key signatures for proof of user identity.
Supplier Name: LJK Software

Authentication Method(s): Password, encryption
Device(s): Access-control software
Product Name: ProGuard
Product Features: For single PC protection and environments where multiple users share computers.
Supplier Name: Vasco Data Security Inc.

Authentication Method(s): Password, encryption
Device(s): Access-control software
Product Name: ultraSECURE
Product Features: Access management security software for Macintosh. Password controlled computer access control. Specialized versions available to authorized entities of the U.S. Government. Compliant Class C2, Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD).
Supplier Name: UsrEZ Software Inc.

Authentication Method(s): Password, ID
Device(s): Access-control software
Product Name: OmniGuard/Enterprise Access Control (EAC)
Product Features: Supplements existing security and access controls in UNIX clients, and provides complete security protection for PC and PC/LAN environments.
Supplier Name: Axent Technologies, Inc.

Authentication Method(s): Password, ID
Device(s): Access-control software
Product Name: OmniGuard/Enterprise SignOn (ESO)
Product Features: Network-wide user administration, identification, and authentication tool. Enables users to log on to the network and automatically gain secure access to heterogeneous platforms without multiple log-ins.
Supplier Name: Axent Technologies, Inc.

Authentication Method(s): Password, token
Device(s): Access-control software
Product Name: CA-TOP SECRET/PC
Product Features: Secures personal computers that are network-connected to a central IBM MVS mainframe. Also available CA-TOP SECRET for the VM environment.
Supplier Name: Computer Associates International

Authentication Method(s): Password, trusted systems technologies
Device(s): Access-control software
Product Name: The Argus B1/CMW, C2/TMW
Product Features: Advanced trusted UNIX operating system technology that provides Multilevel Security (MLS) for PCs, workstations, and servers.
Supplier Name: Argus Systems Group, Inc.

Authentication Method(s): Password, trusted systems technologies
Device(s): Access-control software
Product Name: DECAF (Version 1.1, for Solaris 2.x)
Product Features: Quarantine sensitive, personal, mission critical resources of all kinds. User installable, generic system security utility for creating secure execution environments for Java applets, and other network-borne applications or agents.
Supplier Name: Argus Systems Group, Inc.

Authentication Method(s): Password, two-levels
Device(s): Access-control software
Product Name: DiskGuard
Product Features: Security (hard-disk) protection for the Macintosh system which uses two password levels.
Supplier Name: ASD Software, Inc.

Authentication Method(s): Passwords, ID, and Pager combination
Device(s): Access-control software
Product Name: Pager Access Module
Product Features: Uses any standard digital display pager to provide direct dial authentication for secured remote network access. The logic is, if you KNOW the correct ID & Password combination, and you HAVE the right pager, it must be you.
Supplier Name: MicroFrame

Authentication Method(s): Smart Card
Device(s): Access-control hardware
Product Name: International SmartCard Reader
Product Features: Adaptable to a variety of popular international SmartCard standards and provides an alternative to AccessKey technology for user authentication.
Supplier Name: Vasco Data Security Inc.

Authentication Method(s): Smart Card
Device(s): Access-control hardware
Product Name: Model 10SM, 300, 350, 500
Product Features: Token-based information security product. Security services include: authentication, confidentiality, integrity, and non-repudiation. Can be used by organizational management, LAN administrators, system administrators, security officers, LAN users.
Supplier Name: Datakey

Authentication Method(s): Smart Card
Device(s): Access-control hardware
Product Name: PCSS Plus
Product Features: Personal Computer Security System that protects personal computer and network by positively identifying users before they gain access to the system. PCSS Plus identifies its users by way of smart cards and smart card reader/writer (desktop PCs).
Supplier Name: Personal Cipher Card Corporation

Authentication Method(s): Token
Device(s): Access-control hardware
Product Name: National Fortezza Crypto Card
Product Features: High performance data security token designed to meet the requirements of the U.S. Department of Defense’s new Defense Message System (DMS). The DMS will handle “unclassified but sensitive” e-mail.
Supplier Name: National Semiconductor Corporation

Authentication Method(s): Token
Device(s): Access-control hardware
Product Name: PersonaCard 100 Series
Product Features: Security functions include: privacy, verification, digital signature and authentication.
Supplier Name: National Semiconductor Corporation

Authentication Method(s): Token
Device(s): Access-control software
Product Name: SOFTKEY
Product Features: For laptops, notebooks, or personal computers. Serves as the user’s “have something”.
Supplier Name: Optimum Electronics, Inc.

Authentication Method(s): Token (in-line token)
Device(s): Access-control software
Product Name: SofKEY
Product Features: A software security module that converts any MS-DOS based PC or Laptop into a “Direct Dial” positive user authentication token.
Supplier Name: MicroFrame

Authentication Method(s): Token (off-line token), password
Device(s): Access-control hardware
Product Name: PassKEY II
Product Features: A pocket sized positive user authentication token that generates a “one-time” password unique to each user & different for each use.
Supplier Name: MicroFrame

Authentication Method(s): Token based
Device(s): Access-control hardware
Product Name: Secure ID tokens
Product Features: Access-control tokens carried by authorized users.
Supplier Name: Security Dynamics

Authentication Method(s): Token based
Device(s): Access-control software
Product Name: ACE/Server
Product Features: Security software for client/server network
Supplier Name: Security Dynamics

Authentication Method(s): Token based
Device(s): Access-control software, hardware
Product Name: Access Control Module (ACM)
Product Features: Security software or hardware for host-based access control
Supplier Name: Security Dynamics

Authentication Method(s): Token, Challenge-response
Device(s): Access-control hardware
Product Name: Access Key I & II
Product Features: Handheld token which can optically read a flashing pattern challenge.
Supplier Name: Optimum Electronics, Inc.

Authentication Method(s): Token, random password generator
Device(s): Access-control hardware
Product Name: PAScard
Product Features: Random password generating token to authenticate users.
Supplier Name: Optimum Electronics, Inc.


APPENDIX B. SUPPLIER LIST 

Supplier Name: Argus Systems Group, Inc.
Contact Name: Mary P. Sandone
Contact Title: Office Manager
Address: 1405 A East Florida Avenue, Urbana, IL 61801
Phone Number: (217)384-6300
Fax Number: (217)384-6404
E-Mail:

Supplier Name: ASD Software
Contact Name:
Contact Title:
Address: 4650 Arrow Highway, Suite E6, Montclair, CA 91763
Phone Number: (909)624-2594
Fax Number: (909)624-9574
E-Mail: 102404.3630@compuserve.com

Supplier Name: Axent Technologies, Inc.
Contact Name: John C. McCurdy
Contact Title: Senior Account Manager
Address: 2155 N. Freedom Blvd., Provo, UT 84604
Phone Number: (801)227-3718
Fax Number: (801)227-3781
E-Mail: johmcc@axent.com

Supplier Name: Baseline Software
Contact Name:
Contact Title:
Address: P. O. Box 1219, Sausalito, CA 94966
Phone Number: (415)332-7763
Fax Number: (415)332-8032
E-Mail: 3143490@mcimail.com

Supplier Name: BrainTree Technology, Inc.
Contact Name: Paul B. Currier
Contact Title: Sales Representative
Address: 62 Accord Park Drive, Norwell, MA 02061
Phone Number: (617)982-0200
Fax Number: (617)982-8076
E-Mail:

Supplier Name: Cadix International, Inc.
Contact Name:
Contact Title:
Address: 5000 Birch Street, East Tower, Suite 210, Newport Beach, CA 92660
Phone Number: (714)476-3611
Fax Number: (714)476-3671
E-Mail:

Supplier Name: Computer Associates International
Contact Name: Siki Giunta
Contact Title: Bus. Unit Executive
Address: One Computer Associates Plaza, Islandia, NY 11788
Phone Number: (516)342-2261
Fax Number: (516)342-5329
E-Mail:

Supplier Name: CoSystems
Contact Name: Sam Ng
Contact Title: Director of Business Development
Address: 1263 Oakmead Parkway, Sunnyvale, CA 94086
Phone Number: (408)522-0507
Fax Number: (408)720-9114
E-Mail: samng@cosystems.com



Supplier Name: CRYPTOCard, Inc.
Contact Name: D. Wade Clark
Contact Title: VP, Sales & Marketing
Address: 1649 Barclay Blvd., Buffalo Grove, IL 60089
Phone Number: (847)459-6500
Fax Number: (847)459-6599
E-Mail: token@cryptocard.com

Supplier Name: Cylink
Contact Name: Pat Confer
Contact Title: Area Manager
Address: 910 Hermosa Court, Sunnyvale, CA 94086
Phone Number: (408)735-5872
Fax Number: (408)735-6685
E-Mail: patc@cylink.com

Supplier Name: D-Link
Contact Name:
Contact Title:
Address: 5 Musick, Irvine, CA 92718
Phone Number: (714)455-1688
Fax Number: (714)455-2521
E-Mail:

Supplier Name: Datakey
Contact Name: Michael A. Locquegnies
Contact Title: Dir. Of Marketing & Sales, Information Security Solutions
Address: 407 West Travelers Trail, Burnsville, MN 55337
Phone Number: (612)890-6850
Fax Number: (612)890-2726
E-Mail:

Supplier Name: Datalynx
Contact Name:
Contact Title:
Address: 6633 Convoy Court, San Diego, CA 92111
Phone Number: (619)560-8112
Fax Number: (619)560-8114
E-Mail: datalynx@netcom.com

Supplier Name: Digital Pathways, Inc.
Contact Name:
Contact Title:
Address: 201 Ravendale Drive, Mountain View, CA 94043
Phone Number: (415)964-0707
Fax Number: (415)961-7487
E-Mail:

Supplier Name: Eberhard Klemens Company
Contact Name: Susan J. Steiner
Contact Title: Administrative Assistant
Address: 10400 W. Higgins Road, Rosemont, IL 60018
Phone Number: (847)296-8010
Fax Number: (847)296-8016
E-Mail:

Supplier Name: EliaShim-Safe Software
Contact Name:
Contact Title:
Address: One South West 129 Avenue, Suite 105, Pembroke Pines, FL 33027
Phone Number: (305)450-9611
Fax Number: (305)450-9612
E-Mail:

Supplier Name: Enigma Logic
Contact Name: Thomas J. Brady
Contact Title: VP Sales & Worldwide Distribution
Address: 2151 Salvio Street, Suite 201, Concord, CA 94520
Phone Number: (510)827-5707
Fax Number: (510)827-2593
E-Mail: sales@safeword.com

Supplier Name: Enterprise Systems ICL Inc.
Contact Name: Richard A. Gill
Contact Title: Account Manager
Address: 11490 Commerce Park Drive, Reston, VA 22091
Phone Number: (703)648-3357
Fax Number: (703)648-3350
E-Mail: r.gill@reston.icl.com



Supplier Name: EyeDentify Inc.
Contact Name: Buddy Boyett
Contact Title: VP, Business Development
Address: 10473 Old Hammond Hwy., Baton Rouge, LA 70816
Phone Number: (504)927-4290
Fax Number: (504)927-5385
E-Mail:

Supplier Name: IC Engineering, Inc.
Contact Name:
Contact Title:
Address: P.O. Box 321, Owings Mill, MD 21117
Phone Number: (410)363-8748
Fax Number:
E-Mail:

Supplier Name: Identix Incorporated
Contact Name: Anna C. Stockel
Contact Title: Director, Fingerprint Identification Products
Address: 510 N. Pastoria Avenue, Sunnyvale, CA 94086
Phone Number: (408)739-2000
Fax Number: (408)739-3308
E-Mail: anna@identix.usa.com

Supplier Name: Intelligent Supervisory Systems
Contact Name:
Contact Title:
Address: 6045 Augusta National Drive, Suite 300, Orlando, FL 32822
Phone Number: (407)240-5543
Fax Number:
E-Mail: donniea@aol.com

Supplier Name: IriScan
Contact Name: Kelly L. Gates
Contact Title: Marketing Manager
Address: 133-Q Gaither Drive, Mt. Laurel, NJ 08054
Phone Number: (609)234-7977
Fax Number: (609)234-4768
E-Mail: iriscan@aol.com

Supplier Name: Lassen Software, Inc.
Contact Name: Gary Blackman
Contact Title: Sales Manager
Address: 1835-A South Center City Parkway, Escondido, CA 92025
Phone Number: (619)737-3190
Fax Number: (619)737-0145
E-Mail: 76704,40@compuserve.com

Supplier Name: LJK Software
Contact Name:
Contact Title:
Address: One Kendall Square, Suite 2200, Cambridge, MA 02139
Phone Number: (617)558-3270
Fax Number: (617)558-3274
E-Mail: Sales@LJK.com

Supplier Name: Magna
Contact Name:
Contact Title:
Address: 1999 So. Bascom Ave., Suite 810, Campbell, CA 95008
Phone Number: (408)879-7900
Fax Number: (408)879-7979
E-Mail: magna@cup.portal.com

Supplier Name: METZ Software
Contact Name: Art Metz
Contact Title: Sales Representative
Address: P.O. Box 6699, Bellevue, WA 98008
Phone Number: (206)641-4525
Fax Number: (206)644-6026
E-Mail: CompuServe: 75300,1627

Supplier Name: MicroFrame
Contact Name:
Contact Title:
Address: 21 Meridian Road, Edison, NJ 08820
Phone Number: (908)494-4440
Fax Number: (908)494-4570
E-Mail:



Supplier Name: National Semiconductor Corporation
Contact Name: Larry Van Valkenburgh
Contact Title: Dir., Channel Development, iPower Business Unit
Address: 1090 Kifer Road, Mail Stop 16-225, Sunnyvale, CA 94086
Phone Number: (408)721-5087
Fax Number: (408)245-7906
E-Mail: lany@ipower.nsc.com

Supplier Name: Optimum Electronics, Inc.
Contact Name: Charlotte Rebeschi
Contact Title: Marketing Administration
Address: 425 Washington Avenue, North Haven, CT 06473
Phone Number: (203)239-6098
Fax Number: (203)234-9324
E-Mail:

Supplier Name: Paralon
Contact Name: Jacklen Evans
Contact Title: Account Representative
Address: 3650 131st Avenue SE, Suite 210, Bellevue, WA 98006
Phone Number: (206)641-8338
Fax Number: (206)641-1347
E-Mail:

Supplier Name: PC Guardian
Contact Name: Dan J. Gannett
Contact Title: Regional Sales Manager
Address: 1133 Francisco Blvd. E., Suite D, San Rafael, CA 94901
Phone Number: (415)459-0190
Fax Number: (415)459-1162
E-Mail: pcguard@ix.netcom.com

Supplier Name: Recognition Systems, Inc.
Contact Name:
Contact Title:
Address: 1520 Dell Avenue, Campbell, CA 95008
Phone Number: (408)364-6960
Fax Number: (408)370-3679
E-Mail:

Supplier Name: Safetynet, Inc.
Contact Name:
Contact Title:
Address: 140 Mountain Avenue, Springfield, NJ 07081
Phone Number: (800)672-7233
Fax Number:
E-Mail: safety@safe.net

Supplier Name: Schumann Security Software, Inc.
Contact Name: Amy Leith
Contact Title: Sales/Marketing Associate
Address: 312 Marshall Avenue, Suite 400, Laurel, MD 20707
Phone Number: (301)483-8807
Fax Number: (301)483-8349
E-Mail: 102214.2404@compuserve.com

Supplier Name: Secure Computing Corporation
Contact Name: Roy Lewis
Contact Title: Sales Representative
Address: 2675 Long Lake Road, Roseville, MN 55113
Phone Number: (612)628-6243
Fax Number: (612)628-2701
E-Mail: rlewis@sctc.com



Supplier Name: Personal Cipher Card Corporation
Contact Name:
Contact Title:
Address: 3211 Bonnybrook Dr. N., Lakeland, FL 33811
Phone Number: (941)644-5026
Fax Number: (914)644-1933
E-Mail: CompuServe: 72130,3576

Supplier Name: SecureNet Technologies Inc.
Contact Name: Joshua M. Sklare
Contact Title: Sales Representative
Address: 2100 196th Street SW, Suite 124, Lynnwood, WA 98036
Phone Number: (206)776-2524
Fax Number: (206)776-2891
E-Mail:

Supplier Name: Security Dynamics
Contact Name: David A. Hammond
Contact Title: Manager, Marketing Communications
Address: One Alewife Center, Cambridge, MA 02140
Phone Number: (617)234-7402
Fax Number: (617)354-8836
E-Mail:

Supplier Name: Securix
Contact Name: Khris Loux
Contact Title: VP, Sales & Marketing
Address: 4104 24th Street, Suite 341, San Francisco, CA 94114
Phone Number: (415)695-9474
Fax Number: (415)695-0998
E-Mail: khris@securix.com

Supplier Name: UsrEZ Software Inc.
Contact Name: Linda L. Cole
Contact Title: Communications Manager
Address: 18881 Von Karman Avenue, Tower 17, Suite 1270, Irvine, CA 92715
Phone Number: (714)756-5140
Fax Number: (714)756-8810
E-Mail:

Supplier Name: Vasco Data Security Inc.
Contact Name: Erling Smedvig
Contact Title: Sales Manager
Address: 1919 S. Highland Avenue, Suite 118-C, Lombard, IL 60148
Phone Number: (708)932-8844
Fax Number: (708)495-0279
E-Mail: ess@vdsi.com

Supplier Name: Veritel Corporation
Contact Name: Robert Koretz
Contact Title: Sales Representative
Address: 640 North LaSalle Street, Suite 552, Chicago, IL 60610
Phone Number: (312)751-1188
Fax Number: (312)751-1322
E-Mail: